Thu | Apr 14, 2022 | 4:50 PM PDT

Executives and business leaders often face a difficult decision when their organization falls victim to a cyberattack. It's a mad scramble to figure out what information was stolen or encrypted, who could be behind the attack, how to notify customers their private information could be impacted—the list goes on and on.

Sometimes, organizations do the right thing. They report the incident to the appropriate authorities, notify those affected, and do everything they can to remediate the unfortunate situation. Other times, organizations think they might be able to sweep the incident under the rug for fear of public backlash or falling stock prices.

In this case, T-Mobile had to decide how to act after hackers stole the data of roughly 30 million customers.

After publicly acknowledging the data breach, the telecommunications giant hired a third-party security vendor to investigate the incident. The vendor ultimately paid the hackers $200,000 in a failed attempt to secure exclusive rights to the data, according to Vice's Motherboard.

T-Mobile hired Mandiant to buy back stolen data

Earlier this week, the U.S. Department of Justice unsealed charges against 21-year-old Diogo Santos Coelho, the alleged founder and chief administrator of RaidForums, one of the world's most popular marketplaces for cybercriminals.

Court documents show that back in August 2021, the same month T-Mobile discovered the breach, a very particular set of data was advertised on RaidForums:

"On or about August 11, 2021, an individual using the moniker 'SubVirt' posted on the RaidForums website an offer to sell recently hacked data with the following title: 'SELLING-124M-U-S-A-SSN-DOB-DL-database-freshly-breached.'"

The thread title was later changed to "SELLING 30M SSN + DL + DOB database." The victim company was not named in the document and is referred to as "Company 3," but another post on the forum said the data belonged to "a major telecommunications company and wireless network operator that provides services in the United States."

You don't need to be Sherlock Holmes to connect the dots on that one.

The document continues to describe what happened next:

"After this post, Company 3 hired a third-party to purchase exclusive access to the database to prevent it from being sold to criminals. A third-party employee then posed as a prospective buyer and used Omnipotent's [Coelho's forum admin identity] middleman service to purchase a sample of the databases for a Bitcoin amount that was then equivalent to approximately $50,000.

Subsequently, an employee of the third-party again used Omnipotent's middleman service to purchase the entire database for a Bitcoin amount that was then equivalent to approximately $150,000. The agreement was for 'SubVirt' to then destroy their copy of the database; however, it appears the co-conspirators continued to attempt to sell the databases after the third-party's purchase."

Motherboard also claims to have spoken with the individual selling the data and confirmed the hacker had accurate information on T-Mobile customers.

Though the third-party security vendor was not named in court documents, T-Mobile CEO Mike Sievert thanked Mandiant for its help in an August 2021 statement:

"Through our investigation into this incident, which has been supported by world-class security experts Mandiant from the very beginning, we now know how this bad actor illegally gained entry to our servers and we have closed those access points. We are confident that there is no ongoing risk to customer data from this breach."

If Mandiant was involved with this incident from "the very beginning," it would make a lot of sense that Mandiant was the vendor that facilitated the $200,000 payment to the cybercriminals.

Cybersecurity vendors use controversial incident response tactics

While it's unfortunate for those involved that Mandiant was unable to retain exclusive access to the stolen data, cybersecurity vendors are often hired to do incident response and mitigate a situation as best they can. Sometimes they have to get their hands a little dirty.

Earlier this year, the hacking group Lapsus$ made quite a splash on the cybercriminal scene after pulling off hacks on some of the world's largest tech companies, including Nvidia, Samsung, Ubisoft, Microsoft, and Okta.

Lapsus$ later posted on their Telegram channel saying that someone had hacked into a device the group was using to store the stolen Nvidia data and deployed ransomware. They claim it was Nvidia.

This type of "hack back" tactic, in which an organization takes offensive action against cybercriminals, is growing in popularity and, as controversial incident response tactics go, is not all that different from what Mandiant did.

Had Mandiant succeeded in retaining exclusive access to the data, it's possible that nobody would know it paid hackers $200,000, and T-Mobile might not have needed to publicly disclose the data breach.

Since that was not the case, there are lessons to be learned, both for those involved and for others who might find themselves in an incident response situation.

Original story by Vice's Motherboard.